Why Do Cybersecurity Risk Assessments Fail?
Over the past several months, I was asked a rather intriguing cybersecurity question. The question was posed to me by the Chief Information Security Officer (CISO) of a rather prestigious healthcare system. Before I share that question with you, allow me to give you a little bit of context.

The hospital had recently completed a rather extensive NIST 800-53 and HIPAA cybersecurity and privacy assessment conducted by a third party. Overall, the hospital did a rather decent job during the assessment, and although some gaps were found, they were not critical, and the organization had vastly matured since the prior year's assessment. In fact, on a comparative basis they did much better than most of their industry peers of similar size and complexity.

Yet, when we conducted a penetration test, the results were devastating, to say the least. We were able to achieve access to several critical systems, deploy malware, and exfiltrate data, and do so without the knowledge of their security operations center or tripping any of their defensive systems.

This brings us to the intriguing question that was posed to me by the CISO: "John, why is it that your team was so successful, even though our assessment showed we were doing really well from a policy, process and practice perspective?" In this episode we are going to examine the answers to that profound question.